Hi,
I'm going to be setting a machine on DMZ - in the hope to make it totally unsecure, as if directly connected to my modem, without the router or any firewall present - will this work?
Also, as it's for a project, I was wondering if anyone knows where I can find some technical information explaining how DMZ works, and how it makes it open, and if any security measures are in place then I need to know about them, etc.
Thanks
Well...where to start?
Note 1: What Industry calls a DMZ
----------------------------------
The idea of a Demilitarized Zone (DMZ) is to, in the strictest sense, separate a device from other, more trusted or vulnerable devices by placing it in a separate network segment. By so doing, policies can be defined on the security appliance that establishes the DMZ that will provide different levels of protection to devices in the DMZ. The common thought with a DMZ is that devices in the DMZ should not be able to establish a connection with a device in more trusted parts of the networks by default, thereby eliminating the threat of a compromised device in the DMZ being able to wreck havoc on other parts of your network. Similarly, devices in the DMZ are typically the server side of client/server and the security appliance will allow the Internet to establish a connection to the DMZ host but not vice versa. Cisco devices that are configurable for separate hardware DMZ interfaces include the Cisco PIX 515E, 525, 535 as well as the newer ASA 5505 (new product...SOHO), 5510, 5520, 5540 & 5550 (new product....enterprise)
Note2: SOHO Devices -- the Software DMZ
------------------------------------------
That was common, best practices. However, the premise of a DMZ on a Linksys box (and other SOHO devices such as D-Link, SMC, Netgear, etc.) is that a device that is in the DMZ should have no protection, with the exception perhaps of DoS (Denial of Service) protection. Devices on the Internet should be able to initiate a connection with the device in the DMZ without being blocked. The cynic in me says that this was an early workaround to the problems with non-stateful, simple NAT firewalls where establishing a server "behind" the firewall was problematic at best. Online gamers, and anyone trying to run a server on the Internet would have big issues if the device didn't properly handle inbound connections to these devices. It was easier for manufacturers to just simply say "to heck with this", and create a simple rule where one device could be exposed. Any IP traffic, regardless of protocol, is forwarded to this "DMZ Host". Then the rule becomes much simpler...any inbound IP protocols: TCP, UDP, ESP, ICMP, whatever would be allowed to communicate with this exposed host. Only problem (still) is, the DMZ host is often on the same physical segment and shares the same subnet as other non-DMZ hosts. Compromise the DMZ host and you are now a privileged user on the INSIDE of the security appliance...free to cause mayhem. This isn't as bad as it sounds since most smart people will have a software firewall (Windows XP SP2 Firewall is stateful, and not too bad) on the other inside hosts but you never know.... Examples in the Linksys line of this type of DMZ include
WRT54G, WRT54GS, WRT300N, WRT350N, WRT54LSGS, WRV200. In the Cisco product line the Cisco PIX 501, 506E and ASA 5505 would be examples.
Note 3: Hybrid DMZ
--------------------
Anyway, the software DMZ is a neat trick but --- and this might be just me --- an unnecessary vulnerability. Better to buy a box like the RV042 (like the one I'm using) which allows you the benefit of a separate segment and subnet where you can put your DMZ hosts. In this scenario, it's actually a hybrid of the last two ideas. By default the device in the DMZ *can* initiate a connection to inside hosts *but* this connection establishment is managed and inspected by the stateful firewall. The stateful firewall will provide protection against DoS as well as common Internet attacks such as FIN Scans, Pings of Death, Teardrop, Smurf, etc. If you're really paranoid, you can, for example, create separate rules on the RV042 (also the RV016, RV082 and WRV54G) which will deny connections being established by the DMZ host to the inside LAN if you want. This will not prevent hosts on the inside LAN (nor the Internet) to establish connections *to* the DMZ and essentially best practices anyway (see note 1)
This is by no means a complete description but is based on my own experience with these things. This is also, in a nutshell, how I explain the different solutions to my customers.
Google's your friend for definitions, BTW. Also check NIST, SANS, and NSA and use their search functions to look for a more authoritative description.
/Eric
